Subject: Re: random ip_id must be configurable
To: None <jonathan@DSG.Stanford.EDU>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-net
Date: 09/12/2003 06:58:22
> >	randomizing IP fragment ID field is independent from attacks against
> >	DNS ID field.  therefore the discussion on DNS ID field has nothing
> >	to do with randomizing IP fragment field.
> what, then,  is the justification for this change?

	predictable IP fragment ID allows malicious parties to inject bogus
	fragments into your traffic, prohibiting your peer from reassembling
	your fragments.  it is very common knowledge that predictable IP fragment
	ID is a bad thing.  nessus (http://www.nessus.org/) raises a warning
	if your system uses predictable ip_id field.  for instance, see this
	thread (on freebsd):
	http://archives.neohapsis.com/archives/freebsd/2001-04/0243.html

itojun
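
Added example, not part of the original message and not Nessus's or NetBSD's code: one way an auditor could check whether ip_id values captured from a host's own traffic look predictable, which is the condition the message says scanners warn about. The function names, the labels, the thresholds (`max_step`, `min_share`) and all sample values are assumptions constructed for illustration.

```python
# Added example: classify a series of IPv4 ID values captured from one host.
# Thresholds and labels are illustrative assumptions, not a scanner's real logic.
MOD = 1 << 16  # ip_id is a 16-bit field, so differences wrap modulo 65536


def swap16(v):
    """Byte-swap a 16-bit value (for counters kept in little-endian order)."""
    return ((v & 0xFF) << 8) | (v >> 8)


def small_step_share(ids, max_step):
    """Fraction of successive differences that fall in 1..max_step (mod 2^16)."""
    deltas = [(b - a) % MOD for a, b in zip(ids, ids[1:])]
    return sum(1 for d in deltas if 0 < d <= max_step) / len(deltas)


def classify_ip_id(ids, max_step=128, min_share=0.8):
    """Label a sequence of observed ip_id values.

    A shared counter on a busy host skips values between our samples, so small
    positive steps are accepted rather than only +1. For uniformly random IDs
    the chance that one step lands in 1..128 is 128/65536, about 0.2%.
    """
    if len(ids) < 4:
        raise ValueError("need at least 4 samples to judge a sequence")
    if any(not 0 <= v < MOD for v in ids):
        raise ValueError("ip_id values must fit in 16 bits")
    if len(set(ids)) == 1:
        return "constant"  # fixed value, e.g. on packets that are never fragmented
    if small_step_share(ids, max_step) >= min_share:
        return "incremental"
    if small_step_share([swap16(v) for v in ids], max_step) >= min_share:
        return "incremental-byteswapped"
    return "unpredictable"


# Constructed sample captures (not real traffic).
SAMPLES = {
    "counter": [4660, 4661, 4662, 4664, 4665, 4667],
    "counter-wrapping": [65533, 65534, 65535, 0, 1, 3],
    "counter-little-endian": [swap16(c) for c in range(0x00FD, 0x0103)],
    "fixed": [0, 0, 0, 0],
    "randomized": [51234, 907, 33012, 60001, 14, 27650, 45111, 8203],
}

if __name__ == "__main__":
    for name, ids in SAMPLES.items():
        print(f"{name:22s} {classify_ip_id(ids)}")
```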